tojens
What mechanisms is Microsoft adding to combat hostile mDNS respondents from spoofing legitimate hostnames already registered in the DNS? Will client name resolution after NetBIOS & LLMNR shutdown still rely on a first-method-with-a-response-wins approach? Zero Trust Architecture states you can't trust the network because there's no perimeter anymore, but my understanding of mDNS (& the mDNS in the Enterprise blog entry) is that it assumes a secure multicast domain. This leaves only the option of client-side firewall rules for protection.
1) What about giving us a config option in DNS cache, or even domain TXT records, so that the OS's mDNS element is a proxy to managed DNS servers?
2) Then admins are responsible for IP devices being dynamically registered in the DNS either by the host or by the issuing DHCP server. That also preserves & provides secure Domain and/or DNSSEC resolution protection.
3) Require 1st party (MS) apps & devices to use the OS resolver instead of rolling their own. This is just common sense, cf. why browser-based DNS clients are a bad idea. Then, admins can pursue & control 3rd party mDNS resolvers as needed.
4) Mining centralized DNS server logs for queries is a valuable source of threat hunting. Ensure Windows' mDNS logs activity in a fashion that can support those investigation objectives.
Thank you.
Background: I have more than a few years' history with mixed Mac & Windows in operations & security. Pretty strong familiarity with Bonjour/mDNS & other dynamic resolution protocols.
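The two concerns raised above, a hostile responder answering for a name that managed DNS already owns, and first-response-wins races between several responders, are exactly what point 4 asks resolver logs to support. The following is an added example, not code from the original post or from Microsoft: it cross-checks mDNS answers in a constructed resolver log against a constructed table of DHCP/host-registered DNS records. The log line format, the field names and all hostnames and IPs are assumptions made for the example; a real deployment would map whatever fields the Windows resolver actually logs into the same record shape.

```python
"""Added example (not from the original post): threat-hunting checks over
mDNS/resolver log lines, cross-referenced with managed DNS registrations.
All hostnames, IPs, log lines and the log format itself are constructed."""

import re
from collections import defaultdict

# Constructed: names registered in managed DNS (by host or DHCP server),
# keyed by the short host label and mapping to the registered address(es).
MANAGED_DNS = {
    "fileserver": {"10.0.5.20"},
    "printer-3f": {"10.0.5.41"},
}

# Constructed sample resolver/mDNS log: timestamp, querying client, queried
# name, which responder answered, and the address it returned.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z client=10.0.5.77 qname=fileserver.local responder=10.0.5.20 answer=10.0.5.20
2024-03-01T09:00:02Z client=10.0.5.77 qname=fileserver.local responder=10.0.5.99 answer=10.0.5.99
2024-03-01T09:00:05Z client=10.0.5.78 qname=printer-3f.local responder=10.0.5.41 answer=10.0.5.41
2024-03-01T09:00:07Z client=10.0.5.78 qname=scanner.local responder=10.0.5.60 answer=10.0.5.60
"""

# Assumed log line layout (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"responder=(?P<responder>\S+) answer=(?P<answer>\S+)$"
)


def host_label(name):
    """Lowercase first label: 'Printer-3F.local.' -> 'printer-3f'."""
    return name.rstrip(".").lower().split(".")[0]


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_spoofed_answers(records, managed):
    """Flag mDNS answers for a host label that managed DNS already knows,
    where the returned address is not one of the registered addresses."""
    findings = []
    for r in records:
        label = host_label(r["qname"])
        if label in managed and r["answer"] not in managed[label]:
            findings.append({
                "type": "mdns_conflicts_with_managed_dns",
                "ts": r["ts"], "client": r["client"], "qname": r["qname"],
                "responder": r["responder"], "answer": r["answer"],
                "expected": sorted(managed[label]),
            })
    return findings


def find_multiple_responders(records):
    """Flag (client, name) pairs answered by more than one responder: under
    first-response-wins, whichever responder was faster is what the client used."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["client"], r["qname"].lower())].add(r["responder"])
    return [
        {"type": "multiple_responders", "client": c, "qname": q,
         "responders": sorted(resp)}
        for (c, q), resp in sorted(seen.items()) if len(resp) > 1
    ]


def hunt(log_text, managed):
    """Run both checks and return all findings (conflicts first, then races)."""
    records = parse_log(log_text)
    return find_spoofed_answers(records, managed) + find_multiple_responders(records)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, MANAGED_DNS):
        print(finding)
```

Note that `scanner.local` produces no finding: it is not in managed DNS, so there is nothing to compare against, which is precisely the gap the original post's proposal 2 (registering every IP device in DNS) would close.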